I couldn't agree more. I just bought one on Saturday, then heard about all of this today, and I'm trying to get to the bottom of this before the return-for-a-refund window ends. :-) I don't have enough information right now, but I'll update this thread when that changes.

I'm one of the researchers who presented the Z-Wave security talk in Las Vegas last week and was informed about this forum thread via an email message. I'd like to give you an update about our research. During our talk:

a) We demonstrated that unencrypted devices (the ones that do not implement SECURITY_CLASS), such as motion sensors, could be disabled remotely by using our Z-Wave packet injector (Z-Force).

b) We also demonstrated an attack against the Z-Wave security protocol implementation in an AES door lock that could reset the network key to a known value remotely and enable the attacker to take full control of the device (unlock, set PIN, etc.).

Due to the BlackHat conference's content embargo, we would not be able to publish our research paper and slides until August 15th, after which those will be available on the following URLs:

Thanks very much for coming in and clarifying the situation. My remaining uncertainty is whether the lock compromise was a vulnerability in the Z-Wave protocol or in a particular lock's implementation. If the latter, which one, and have you contacted the manufacturer about the vulnerability?

We discovered this issue in a European Z-Wave door lock, but as there was strong evidence that the root cause of the vulnerability (a protocol implementation error) could be present in other door lock brands, we decided to report the vulnerability directly to the Z-Wave vendor (Sigma Designs) and they should have communicated it to the device manufacturers to make sure their products are not affected.

The first post in this thread links to an article about three BlackHat talks. Redwood's is one of them, and we'll have to wait for the details, but another is already available online at BlackHat's own web site:

A section of that paper describes some vulnerabilities in MiCasaVerde's Vera system. Most of the vulnerabilities are of the form "if an attacker has access to your local wireless network, they can..." and/or "if an attacker has control of MiCasaVerde's servers, they can..."

The key concern, in my opinion, is that MCV's servers effectively have root access to the Vera devices. (The paper describes how an attacker with access to MCV's servers can use the UPnP interface to create root-privileged accounts on the Vera.) Thus if an attacker acquires control of MCV's servers, the attacker has full control of our Vera devices as well.

@MiPolloMole - Forgive my lack of vision, but I'm not perceiving any personal risk in such an attack. I'm not saying that there is not a vulnerability or that it should not be addressed, but it seems to me that the MCV take over vector is less of a threat than a local exploit.

Assuming that an attacker manages to take over MCV's servers, they would indeed have root on my Vera and tens of thousands of others. Now what will they do? Will they make my lights flash? Will they run up my electric bill? Will they watch my cameras? I just don't see any likelihood of them identifying a single house and then leveraging their MCV access to open doors or do me "harm".

Edit: Thinking about it some more; I suppose with MCV access they could open ALL locks globally in order to open the door they happen to be standing in front of without having to identify a specific house/node on the MCV servers. OK, I see greater risk now, but the local exploit still bothers me more.

They'll open a new Network Tunnel from your LAN (the part that's accessible to Vera), to a nice comfy location of their choice where they can take their time to break into more stuff on your LAN as they'll effectively "see" anything on that Network.

Vera just becomes the Gateway to a more interesting attack.

From an access standpoint, this is the equivalent of removing your LAN's Internet Firewall... at least for their use (unless they decide to make that access more widely available to others).

Do you have your SSN, or other PII, stored anywhere on a LAN-based file share? Any unsecured Financial documents, Check account#, Credit card#'s (etc) floating around on your home machines?

Bottom line, it comes down to how comfortable you'd be running your LAN without an Internet Firewall.

I'm not worried about a targeted attack.

But if the sort of person who breaks into other people's computers for fun breaks into MCV's servers, how long would it be until every MCV customer finds their deadbolts mysteriously unlocked?

I just configured my network so that my Vera can only be accessed from one specific IP address (a PC on my home network). That mitigates the risk for me.

Problem is that viewing IP cams through Vera is, to put it lightly, garbage. My Foscam (maybe the fault lies there) works for 30 seconds and then stops transmitting until I close the window and open it again.

For myself, I am not too worried; if someone really wants, he/she may switch some lights on or off... or open my gate. Not nice, and I prefer it won't happen.

I do have a question concerning opening ports on my router.

In and around my house I have installed about 8 IP cameras, and I use the Blue Iris program to watch them (also remotely). For Blue Iris (webcast) I have opened port 20. I sometimes also want a direct feed from the cameras, and for that reason I also opened ports 50 to 58.

With these ports open, can someone now (easily) access my network?

I can understand if someone would be able to take over control of the cameras (so be it), but I am a bit worried about, for example, my NAS (which is connected to my LAN, but I have no port forwarded for it).

I would not open up cameras with port forwards through the router... I use an SSH tunnel. This makes all of my cameras, and any other home network resource I wish to make available on my phone, look like a local IP port to the phone... and all communication is secured through the SSH tunnel.

@Cor - IP cameras are usually Linux-based System on a Chip (SoC) devices that are notorious for having network security vulnerabilities in them. Here's the first search item that came up. They are also notorious for never having their firmware updated, so the vulnerabilities are never fixed. The issue is that the camera's vulnerabilities are exploited and then the camera (computer) is used as a jumping off point to the rest of your network, as @guessed reminded me earlier in this thread. They gain access to the camera and then use it as a gateway to compromise other devices on the network, including your NAS. This is why you are seeing people strongly recommend against forwarding ports, especially to cameras.

On another note, you state that you have forwarded ports 20 and 50-58. These are called reserved ports because they are used and reserved for very specific services. For instance, port 20 is used for the data channel in FTP and port 53 is used for DNS. By forwarding these ports to specific devices, I would expect unusual and problematic behavior, especially with DNS resolution. Other forms of this type of non-standard, if not just plain wrong, network configuration could possibly be causing the unexplained issues of your other posts. When forwarding ports to non-standard services it is proper to forward ports higher than 1024 (the reserved ports).
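
An added example, not part of any post in this thread: a short Python audit that flags port-forward rules whose external port falls in the reserved range discussed in the last post, run over the ports 20 and 50-58 mentioned above. The rule syntax, the LAN addresses and the small service table are assumptions made for illustration, and ports 0-1023 (the IANA well-known range) are treated as reserved.

```python
import re

# Small subset of IANA well-known assignments (not a full registry).
WELL_KNOWN = {20: "ftp-data", 21: "ftp", 22: "ssh", 23: "telnet",
              25: "smtp", 53: "dns", 80: "http", 443: "https"}
RESERVED_MAX = 1023  # IANA well-known (system) ports are 0-1023

# Hypothetical rule syntax: "EXT[-EXT_END] -> HOST:PORT"
RULE_RE = re.compile(r"^\s*(\d+)(?:-(\d+))?\s*->\s*(\S+)\s*$")

def parse_rule(line):
    """Parse one rule into (first_port, last_port, target)."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    first = int(m.group(1))
    last = int(m.group(2) or first)
    if not (0 < first <= last <= 65535):
        raise ValueError(f"bad port range in rule: {line!r}")
    return first, last, m.group(3)

def audit(rules):
    """Return one finding per forwarded external port in the reserved range."""
    findings = []
    for line in rules:
        first, last, target = parse_rule(line)
        # Only the part of the range at or below RESERVED_MAX is flagged.
        for port in range(first, min(last, RESERVED_MAX) + 1):
            findings.append({
                "port": port,
                "target": target,
                "service": WELL_KNOWN.get(port, "not in table"),
            })
    return findings

SAMPLE_RULES = [                     # constructed sample input
    "20 -> 192.168.1.50:80",         # webcast forward on port 20
    "50-58 -> 192.168.1.60:80",      # camera feeds (one target for brevity)
    "8443 -> 192.168.1.70:443",      # above the reserved range, not flagged
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"external port {f['port']:>4} -> {f['target']}: "
              f"reserved range, table entry: {f['service']}")
```
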